Step 2: Installation of HWF (HORIZONT Web Framework)
ProcMan requires PHP and a Webserver, which we deliver in the so-called HORIZONT Web Framework (HWF). This document only describes how to install HWF for ProcMan.
1. Download HWF
Download the latest HWF installation package from the HORIZONT customer portal (e.g. HWF V6.0.6) and extract it somewhere on the target system.
2. Optional: Install/update the Microsoft Visual Studio C++ runtime
Install/update the Microsoft Visual Studio C++ runtime (MSVC) manually. Navigate to ../hwf/contrib/ and search for all the vcredist_x64-YYYY.exe files. Run them all as administrator.
3. Run the setup.cmd
Now run the setup.cmd in the downloaded HWF package as administrator and follow the installation steps.
Important things to consider:
In step 1 set the correct installation directory of the existing HWF installation.
In step 4 choose "no" if you decided to install/update the MSVC manually.
There is no need to set the TNS_ADMIN and DB2INSTANCE options in the HWF installation dialog for ProcMan, as they are ignored. They can be left empty (which is the default).
Do not install HDB (HORIZONT Database Module) after the HWF installation, which is asked in the HWF installation dialog after HWF installation finished.
4. Enable full version of DB2 client
There is a light version of the DB2 Client installed with HWF. After the installation of HWF the PATH system variable contains the path to this light version of the DB2 client in the beginning, which disables the full version of the DB2 client required by ProcMan.
To correct this, after HWF installation, remove from the content of the PATH variable the following part:
After changing the content of the PATH variable you have to restart the Web Server (e.g. in Windows’s Services dialog restart the HORIZONT HTTP Server service) before the change takes effect.
5. Verify HWF installation
6. Recommended: Configuring the HWF service to run with a special user
For security reasons it is strongly recommended to change the user under which the by HWF installed service HORIZONT HTTP Server runs.
Windows
By default, the HORIZONT HTTP Server service runs under the Local System account, which is highly privileged—more so than a standard administrator account in certain areas. For better security and manageability, it is strongly recommended to run the service under a dedicated local or domain user account with limited privileges.
This guide walks you through:
Creating or assigning a restricted user
Granting required filesystem and DB2 access
Running the service under the new user
Configuring permissions to allow restarting the service from ProcMan
Step 1: Create or Select a Service User
Create a local user in Windows or use an existing local/domain user.
Ensure the user has a non-expiring password.
Grant this user modify permissions on the HORIZONT installation directory (by default
C:\HORIZONT) and all its subdirectories.
Step 2: Assign DB2 Access (if applicable)
If the DB2 Client was installed with Windows Authentication, it creates two local user groups:
DB2ADMNSDB2USERS
Add the service user to the DB2USERS group to allow DB2 access while maintaining minimal privilege.
Step 3: Configure the Service to Run Under the User
Open the Services management console:
Control Panel → System and Security → Administrative Tools → ServicesLocate the HORIZONT HTTP Server service.
Double-click to open its properties and go to the Log On tab.
Select "This account", enter the user credentials created/selected in Step 1, and confirm.
Click OK and restart the service.
Step 4: Allow the User to Restart the Service via ProcMan
By default, only administrators and system accounts can start/stop services. To allow the non-admin service user to restart the web server (e.g. via ProcMan), follow these steps using the Microsoft Management Console (MMC):
A. Prepare a Custom Security Template
Open MMC as administrator:
Press
Win + R, typemmc, and press Enter.
From the menu:
File → Add/Remove Snap-in…Add the following snap-ins:
Security Templates
Click OK
In the Security Templates tree, select a directory (e.g.,
C:\Windows\Security\Templates) and then:Action → New Template
Enter a name and (optional) description for the template and click OK.
B. Define Service Permissions in the Template
Under your new template, go to:
System Services → HORIZONT HTTP ServerRight-click and select:
Action → PropertiesIn the dialog:
Check: "Define this policy setting in the template"
Set Startup mode to
AutomaticClick Edit Security
In the security dialog:
Add the dedicated service user
Grant the permission: Start, stop, and pause
Click OK to close all dialogs and save the template.
C. Apply the Security Template
Again, open:
File → Add/Remove Snap-in…Add:
Security Configuration and AnalysisClick OKIn the snap-in:
Action → Open DatabaseChoose a name for the database file (e.g.
horizont_service_config)
When prompted, select the template you created earlier.
Then run:
Action → Configure Computer NowAfter applying, restart the HORIZONT HTTP Server service once manually as an administrator to ensure new permissions take effect.
Important Notes
These permission changes are persistent and survive system restarts.
The MMC interface may vary slightly between Windows versions.
Always verify service functionality after changing its user context or security settings.
Linux
The web server switches automatically after it is started to run under a lower privileged user. So there is nothing to be done explicitly.
If it should be later possible to restart the web server by an administrator from the ProcMan dialog, the user under which the web server is running, has to be authorized to restart the web server. For this the user has to be authorized to start the httpd program as a super user using the sudo command without a tty session and without entering a password. To allow this open the file /etc/sudoers for editing. If there is a line like this
comment it out with a hash (#) in the beginning of the line. Further add a line like this
in the file /etc/sudoers. Replace <httpd_user> by the proper user name. Replace <httpd_path> by the proper path to the httpd program. For example:
Last updated
